autocommand access-enable (lock&key)

29 Jul 2006 02:31

Maybe this post will enable me to remember this feature. I hadn’t heard of it until I was at Heinz’s CCIE R&S bootcamp last June.

The idea is that a user logs into the router, and the router then grants access to some traffic for a period of time. Nice, eh? Be careful, though: it uses extended access lists, so the normal anti-spoofing measures still need to be taken. So how do we do this? Simply follow these steps:

! Use a local account instead of the vty password:
line vty 0 4
login local
!
! User account that opens the ACL dynamically:
username djerk password 123456
! The user is allowed to open the ACL. Sadly you can't specify which ACL,
! so the dynamic entries of all lock&key ACLs will be opened by this user!
! The timeout value here is the idle timeout (in minutes).
username djerk autocommand access-enable host timeout 2
!
! The lock&key ACL:
ip access-list extended NACL-lock&key
remark *** Permit user:djerk to open this ACL (lock&key) ***
! Permit the user's telnet to the router so he can authenticate if he has to traverse this ACL
permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
! Careful: the timeout of the dynamic entry is the absolute timeout, in minutes
! The rule in the dynamic line is installed into the ACL once the user has authenticated
dynamic DYN-lock&key timeout 10 permit tcp any any eq telnet
deny tcp any any eq telnet
permit ip any any
!
! Apply the ACL to the interface:
interface F0/0
ip access-group NACL-lock&key in

The idle timeout of the temporary entry is configured in the autocommand (timeout 2 above). It is overridden by the absolute timeout in the dynamic access list entry (timeout 10 above), which removes the entry regardless of whether traffic is still flowing.
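To make the two timeouts concrete, here is an added example (not from the original post or from Cisco) that reads the idle and absolute timeouts out of a running-config snippet like the one above and models when the temporary entry disappears. The config text is a constructed sample; the lifetime model follows the post's description (idle timer restarts on matching traffic, absolute timer does not) and is an assumption, not a reimplementation of IOS.

```python
import re

# Constructed sample: the post's lock-and-key config as it would appear in
# "show running-config" (annotation lines removed, ACL entries indented).
RUNNING_CONFIG = """\
username djerk password 123456
username djerk autocommand access-enable host timeout 2
ip access-list extended NACL-lock&key
 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet
 dynamic DYN-lock&key timeout 10 permit tcp any any eq telnet
 deny tcp any any eq telnet
 permit ip any any
"""

# Idle timeout lives in the autocommand, absolute timeout in the dynamic entry.
AUTOCMD_RE = re.compile(r"^username (\S+) autocommand access-enable(?: host)? timeout (\d+)$")
DYNAMIC_RE = re.compile(r"^\s*dynamic (\S+) timeout (\d+) ((?:permit|deny) .+)$")


def parse_lock_and_key(config: str) -> dict:
    """Extract user, idle timeout, dynamic entry name, absolute timeout and the
    rule that gets installed once the user has authenticated."""
    found = {}
    for line in config.splitlines():
        m = AUTOCMD_RE.match(line)
        if m:
            found["user"], found["idle"] = m.group(1), int(m.group(2))
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            found["dynamic"], found["absolute"] = m.group(1), int(m.group(2))
            found["rule"] = m.group(3)
    return found


def expiry_minute(idle: int, absolute: int, traffic: list) -> int:
    """Minute (authentication = minute 0) at which the temporary entry is removed.
    `traffic` lists the minutes at which matching packets were seen. Modelled
    behaviour (assumption): each packet restarts the idle timer; the absolute
    timer runs from creation and wins even if traffic keeps flowing."""
    last_seen = 0
    for t in sorted(traffic):
        if t >= absolute or t - last_seen >= idle:
            break  # entry was already gone when this packet arrived
        last_seen = t
    return min(last_seen + idle, absolute)


if __name__ == "__main__":
    cfg = parse_lock_and_key(RUNNING_CONFIG)
    print(cfg)
    print("no traffic, removed at minute:", expiry_minute(cfg["idle"], cfg["absolute"], []))
    print("traffic every minute, removed at:", expiry_minute(cfg["idle"], cfg["absolute"], list(range(1, 10))))
```

With the post's values the entry vanishes after 2 idle minutes, and after 10 minutes at the latest no matter how busy the user is.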

The above config is from CCO, with minor changes and comments by me 🙂
